Java Forum / Security / December 2003

servlet calling servlet stopped by security

Roger - 21 Dec 2003 03:54 GMT
I have two servlets in the same tomcat webapp (A and B) both normally
accessed from the web. Sometimes A needs to access B and I use http to
do that. Actually 'B' is about a dozen other servlets, still all in
the same webapp.

This works just fine until I turn on security constraints. When I do
that and request A the login form works as normal and invokes A
correctly. But when A needs to invoke B I get another logon form
instead of B. This would be okay, I can hack through that, but I only
know the user name, not the password for A's session.

Is there a simpler way to have one servlet in the same webapp invoke
another without having to go through security? I cannot just do java
to java, there are too many entry points (i.e. cases of 'B'). They are
all volatile and need to be exposed to the web.

Thanks for your help
Roger
nobody - 21 Dec 2003 10:31 GMT
> I have two servlets in the same tomcat webapp (A and B) both normally
> accessed from the web. Sometimes A needs to access B and I use http to
[quoted text clipped - 14 lines]
> Thanks for your help
> Roger

I may be misunderstanding the question; but I think you could just do

a.getServletContext().getRequestDispatcher("/b").forward(request, response);

or

a.getServletContext().getRequestDispatcher("/b").include(request, response);
Bill Harrelson - 21 Dec 2003 12:43 GMT
Do you have single-sign-on enabled in Tomcat?  Ordinarily Tomcat requires authentication for each resource.

> I have two servlets in the same tomcat webapp (A and B) both normally
> accessed from the web. Sometimes A needs to access B and I use http to
[quoted text clipped - 14 lines]
> Thanks for your help
> Roger
Roger - 21 Dec 2003 20:52 GMT
> Do you have single-sign-on enabled in Tomcat?  Ordinarily Tomcat requires authentication for each resource.
>
[quoted text clipped - 16 lines]
> > Thanks for your help
> > Roger

Bill: Single sign on allows you to sign on to multiple web apps, I am
only using one web app.

nobody? I think you are assuming the request to A is passed through to
B. This is not the case. A makes several different requests to B
(several different B's actually) during its life. There is no
similarity between the A requests and the B requests.

I managed to scrape together an answer so I'll put it here for others.
What I really had to do was get the jsessionid into the request header
to B and make it look like a cookie. This is achieved like so:

// in the doPost method on A...
String cookie = request.getHeader("cookie");
// gets me something like 'jsessionid=ABCDEF....'

//... code to get the URLConnection to B

urlConnection.setRequestProperty("cookie", cookie);

The request to B is then treated as part of the same session as the
request to A and does not require a fresh logon. As it happens all of
the B requests are context free so there is no collision with session
information. The only context I need to have is the logon.

Thanks for the suggestions
Roger
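
An added example, not code from any poster in this thread: a narrower form of the cookie pass-through described above, which forwards only the session cookie and only to a URL on the webapp's own origin, since copying the whole Cookie header sends every cookie, session id included, to whatever host the URL names. The class and method names, the cookie name JSESSIONID (Tomcat's default) and the sample URLs are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.Optional;

public class SessionCookieForwarder {
    // Assumption: the container uses Tomcat's default session cookie name.
    static final String SESSION_COOKIE = "JSESSIONID";

    /** Extracts "JSESSIONID=<id>" from a raw Cookie header and drops every other cookie. */
    static Optional<String> sessionCookieOnly(String cookieHeader) {
        if (cookieHeader == null) return Optional.empty();
        for (String pair : cookieHeader.split(";")) {
            String p = pair.trim();
            int eq = p.indexOf('=');
            if (eq > 0 && p.substring(0, eq).equals(SESSION_COOKIE)) {
                String id = p.substring(eq + 1);
                // Allow only id characters, so CR/LF can never reach the outgoing header.
                if (id.matches("[A-Za-z0-9._-]+")) return Optional.of(SESSION_COOKIE + "=" + id);
            }
        }
        return Optional.empty();
    }

    /** True only when target has the same scheme, host and port as this webapp. */
    static boolean sameOrigin(URI self, URI target) {
        return target.getScheme() != null && target.getHost() != null
            && target.getScheme().equalsIgnoreCase(self.getScheme())
            && target.getHost().equalsIgnoreCase(self.getHost())
            && target.getPort() == self.getPort();
    }

    /** Prepares (does not send) a request to a sibling servlet carrying only the session cookie. */
    static HttpURLConnection openToSibling(URI self, URI target, String cookieHeader) throws IOException {
        if (!sameOrigin(self, target)) throw new IllegalArgumentException("not this webapp's origin: " + target);
        String cookie = sessionCookieOnly(cookieHeader)
            .orElseThrow(() -> new IllegalStateException("no session cookie on incoming request"));
        HttpURLConnection conn = (HttpURLConnection) target.toURL().openConnection();
        conn.setRequestProperty("Cookie", cookie);
        return conn;
    }
    public static void main(String[] args) throws IOException {
        URI self = URI.create("http://localhost:8080/app/a");                 // constructed
        String header = "theme=dark; JSESSIONID=ABCDEF0123456789; other=1";  // constructed
        System.out.println(sessionCookieOnly(header).orElse("none"));
        System.out.println(sameOrigin(self, URI.create("http://other.example:8080/app/b")));
        openToSibling(self, URI.create("http://localhost:8080/app/b"), header);
    }
}
```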

